Public Comments: August 2009 – WPF asks Treasury to get consumers’ consent before checking their credit reports

Background:

The World Privacy Forum filed comments urging the U.S. Treasury Department to obtain consumers’ consent before checking their credit reports. Under the government’s Home Affordable Modification Program (HAMP) — an Obama administration program created to help consumers renegotiate their mortgages so they can keep their homes — the Federal Government checks participating consumers’ credit reports without first obtaining their consent. This procedure sets a negative precedent, and is at odds with consumer expectations of privacy. The Treasury gave itself this power in an obscure set of “Routine Uses” in a Privacy Act notice published along with the proposed system of records for the program.


—–

Comments of the World Privacy Forum regarding Notice of Proposed New Privacy Act System of Records for the Home Affordable Modification Program (HAMP), 74 Fed. Reg. 38484-38486, Department of the Treasury

Re: Notice of Proposed New Privacy Act System of Records for the Home Affordable Modification Program (HAMP), 74 Fed. Reg. 38484-38486.

The World Privacy Forum appreciates the opportunity to comment on the Treasury Department’s Notice of Proposed New Privacy Act System of Records for the Home Affordable Modification Program (HAMP). The notice appeared in the Federal Register on August 3, 2009 at 74 Fed. Reg. 38484-38486.

The World Privacy Forum is a non-partisan, non-profit public interest research and consumer education organization. Our focus is on conducting in-depth research and analysis of privacy issues, in particular issues related to information privacy, health privacy, and financial privacy. More information about the activities of the World Privacy Forum is available at our web site, <http://www.worldprivacyforum.org>.

Our objections to the system notice center on the routine uses. We are concerned about the potentially profound unintended consequences these routine uses may have for consumers who are already cash-strapped and experiencing financial setbacks. We note that consumers impacted by this system of records notice will be those individuals making loan modifications to their mortgages.

We believe most consumers who are working with the Home Affordable Modification Program are highly likely to be unaware of the problematic routine uses in the system of records notice. We note that the cited authority for the system of records is Public Law 110-343. That law is 169 pages long. We think that the Department should assist those reading the notice by citing the particular provisions of the Act that authorize the program.

Similarly, we observe that the safeguards described for this system include this language: “Department and Financial Agent policies and procedures governing privacy, information security, operational risk management, and change management.” We see no reason why the routine uses could not include a specific cross reference to the applicable policies and procedures. Any reader must undertake a considerable effort just to find the Department’s existing rules.

In our comments below, we reproduce the objectionable routine uses with their original numbers for clarity.

I. Objections to Routine Use (2)

Routine use 2 states:

(2) Disclose information to a Federal, State, or local agency, maintaining civil, criminal or other relevant enforcement information or other pertinent information, which has requested information relevant to or necessary to the requesting agency’s or the bureau’s hiring or retention of an individual, or issuance of a security clearance, license, contract, grant, or other benefit;

First, we object to this routine use as overbroad and unnecessary. If an individual is seeking a job, security clearance, license, contract, grant, or other benefit from a government agency, then the individual can and will consent to the disclosure of relevant information. At most, a routine use for this purpose should only allow for the disclosure of the fact that relevant information exists in the system to allow the requesting agency to obtain the necessary consent.

Second, we do not understand the limitation that information can only be disclosed to an agency “maintaining civil, criminal or other relevant enforcement information or other pertinent information”. What if an agency does not maintain any of this information? What is the purpose of the limiting language for this routine use?

Third, we do not understand the reference to a bureau as something distinct from an agency.

II. Objections to Routine Use (3)

Routine use 3 states:

(3) Disclose information to a court, magistrate, or administrative tribunal in the course of presenting evidence, including disclosures to opposing counsel or witnesses in the course of civil discovery, litigation, or settlement negotiations, in response to a subpoena where arguably relevant to a proceeding, or in connection with criminal law proceedings;

This routine use is illegal, and must be changed. It violates Doe v. DiGenova, 779 F.2d 74 (D.C. Cir. 1985). Disclosures in response to subpoenas require a court order. Disclosures for discovery are also problematic because they give information to a third party without restrictions. The proper procedure that complies with (b)(11) of the Privacy Act involves a stipulation signed by the judge in the case. Administrative tribunals may need a different solution. This routine use requires close review by a Department lawyer who knows something about the Privacy Act and about litigation.

III. Suggestions Regarding Routine Use (4)

Routine use 4 states:

(4) Provide information to a Congressional office in response to an inquiry made at the request of the individual to whom the record pertains;

We do not object to this routine use, but we suggest that there should be a requirement for a written request to a congressional office from the individual to whom the record pertains. The routine use is subject to abuse in the absence of an original written request.

IV. Objections to Routine Use (5)

Routine use 5 states:

(5) Provide information to third parties during the course of a Department investigation to the extent necessary to obtain information pertinent to that investigation;

This routine use is overbroad. It would allow disclosure of information from the HAMP system for any type of Departmental investigation, no matter how far removed from the HAMP program. We believe that the scope of disclosures under this routine use should be limited to investigations that relate to Department investigations of financial matters that have a nexus to the HAMP program.

V. Objections to Routine Use (6)

Routine use 6 states:

(6) Disclose information to a consumer reporting agency to use in obtaining credit reports;

We see no reason why credit reports cannot be requested with the consent of the individual. Anyone applying for help will sign an application form. Consent for obtaining a credit report can and should be included. Using a routine use to avoid obtaining consent is an abuse of the Privacy Act of 1974. This sets a negative precedent for the government, and defies consumer expectations based on how credit reports are acquired in the private sector as articulated by the Fair Credit Reporting Act.

VI. Objections to Routine Use (7)

Routine use 7 states:

(7) Disclose information to a debt collection agency for use in debt collection services;

We object to this routine use because it is overbroad. Any disclosures for debt collection purposes should be limited to debt collection activities undertaken for the Department and, preferably, for the HAMP program. As written, this routine use would support disclosures for debt collection services that have nothing to do with debts owed to the HAMP program, the Department, or even the federal government. This sets a negative precedent for the government.

VII. Objections to Routine Uses (8) and (10)

Routine uses 8 and 10 state:

(8) Disclose information to a Financial Agent of the Department, its employees, agents, and contractors, or to a contractor of the Department, for the purpose of ensuring the efficient administration of HAMP and compliance with relevant guidelines, agreements, directives and requirements, and subject to the same or equivalent limitations applicable to Department’s officers and employees under the Privacy Act;

We are confused about these two routine uses. First, number 8 says that the recipients will be subject to the same or equivalent limitations applicable to Department officers and employees under the Privacy Act. Number 10 does not say that recipients will be subject to those limitations. We are at a loss to understand why Financial Agents under routine use 10 are not treated the same way as Financial Agents under routine use 8.

Second, while we appreciate the “Privacy Act” reference in number 8, we think that the routine use can and should be clarified by stating expressly that all recipients receiving information will be contractors under subsection (m) of the Privacy Act.

We find the current language in the routine use unclear and ambiguous. If recipients must be subsection (m) contractors, then the change we propose will clarify that. If something else is intended, then the routine use should be revised to state more precisely what is meant by “subject to the same or equivalent limitations applicable to Department’s officers and employees under the Privacy Act.” Some provisions of the Act (e.g., criminal penalties) can only be applied to subsection (m) contractors. If there are to be two classes of recipients [subsection (m) contractors and others], then the Department needs to explain how the Act will apply to those two classes. The existing language is unclear and is guaranteed to create confusion within the Department, let alone elsewhere.

Third, it appears that routine use number 10 is completely unnecessary. All of the disclosures allowed by number 10 appear to be covered by number 8. We recommend dropping number 10.

VIII. Objections to Routine Use (9)

Routine use 9 states:

(9) Disclose information originating or derived from participating loan servicers back to the same loan servicers as needed, for the purposes of audit, quality control, and reconciliation and response to borrower requests about that same borrower;

We strongly object to this routine use because all disclosures covered by this routine use should be accomplished with the consent of the data subject. Using a routine use to avoid obtaining consent is an abuse of the Privacy Act of 1974. This routine use can materially affect consumers, and as such needs to be done with the consent of the data subject, as it is for the private sector. We believe consumers will be unpleasantly surprised by some of these routine uses when the impacts of these routine uses begin to show up in their lives and potentially their credit reports.

IX. Objections to Routine Use (11)

Routine use 11 states:

(11) Disclose information to financial institutions, including banks and credit unions, for the purpose of disbursing payments and/or investigating the accuracy of information required to complete transactions pertaining to HAMP and for administrative purposes, such as resolving questions about a transaction;

We object to this routine use because all disclosures covered by this routine use should be accomplished with the consent of the data subject. Using a routine use to avoid obtaining consent is an abuse of the Privacy Act of 1974. We reiterate that this routine use can materially affect consumers, and as such needs to be done with the consent of the data subject, as it is for the private sector.

X. Objections to Routine Use (13)

Routine use 13 states:

(13) Disclose information and statistics to the Department of Housing & Urban Development and the Federal Housing Finance Agency to improve the quality of services provided under HAMP and to report on the program’s overall execution and progress, if such agencies have jurisdiction over the subject matter of a complaint or inquiry, or the entity that is the subject of the complaint or inquiry;

We are at a loss to understand the final clause of this routine use. What is the complaint or inquiry that is relevant to the disclosure of information to HUD or FHFA for oversight purposes? We do not object to the first part of the routine use, but the last clause should be dropped.

XI. Objections to Routine Use (14)

Routine use 14 states:

(14) Disclose information to appropriate agencies, entities, and persons when (a) The Department suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised; (b) the Department has determined that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by the Department or another agency or entity) that rely upon the compromised information; and (c) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Department’s efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm.

We have many objections to this routine use. We do not object to a security breach routine use as a general proposition, but we find the proposed routine use overbroad, lacking in limits on discretionary disclosures, and lacking in procedural protections.

a. First, we believe that the findings required to support any disclosure under this routine use should be made by specified high-ranking officials of the Department. As written, a GS-2 clerk who “suspects” a compromise can make disclosures of considerable amounts of sensitive personal and financial information. We think that findings should be made and disclosures authorized by a Senior Executive Service or Schedule C official.

b. Second, the scope of disclosures allowed under this routine use should be severely limited. Disclosures should be expressly limited to specific data fields that a senior Department official has specifically determined to be the minimum necessary to disclose in order to protect the vital interests of a data subject who has been the victim of an actual breach.

c. Third, the term “compromised” needs to be better explained. The predicate for a disclosure under this routine use is a compromise of security or confidentiality. That term has no clear meaning, and the lack of a definition could create problems for the Department and for data subjects. Is a database compromised because a computer terminal that can access that database was left unattended for two minutes in a non-public area? Even that simple question cannot be clearly answered by the routine use. The routine use needs a definition and a process that must be met before any disclosures are allowed because of a compromise.

d. Fourth, why are disclosures allowed to “persons”? Under this routine use, every individual, company, and institution in the entire world is a possible recipient of disclosures under this routine use. That is overbroad, and the problem is not cured by clause (c). Clause (c) itself is too broad and too vague. Allowing everything to be disclosed to anybody in the hope that it might help cannot be justified under the Privacy Act.

e. Fifth, what restrictions will apply to recipients under this routine use? The routine use is so broad that a suspected breach could justify disclosing all personal records in the HAMP system to newspapers as a means of notifying data subjects about the possible breach. The newspapers could take all the disclosed information and reprint it, including loan amounts, and the like. Another recipient could take the information and sell it on the Internet. Another could exploit the data for marketing purposes. We objected above to the language that provided that some disclosures were to be subject to the same or equivalent limitations applicable to Department’s officers and employees under the Privacy Act. However, this routine use – which is much broader – does not even have that language. The routine use desperately requires restrictions on data use by recipients.

f. Sixth, many of the disclosures that may be appropriate in the event of a security breach would be more properly done only with the consent of the data subject. Consent may not be appropriate in all circumstances, but the routine use should provide that consent will be sought when appropriate and non-consensual disclosures will only be made when it is not possible to seek consent.

g. Seventh, we do not know what “risk of harm” means. As written, any risk, no matter how small, and any harm, no matter how insignificant, would support a disclosure under the routine use. We believe that there should be clearly articulated standards so that the harms being mitigated by disclosure outweigh the risks of any new disclosure being considered.

We recognize that the addition of a security breach routine use has been recommended and that the Department may be following that recommendation. However, we are greatly concerned that an overbroad and standardless routine use will only make things worse and not better. A security breach routine use needs to be carefully qualified so that it does not result in unnecessary disclosures that will only compound the original problem.

The World Privacy Forum appreciates the opportunity to offer comments. Please contact us with any questions.
